Translating Assigns Clauses to GOTO Functions

Let's consider a contract foo (with corresponding pure contract contract::foo) with a __CPROVER_assigns(A) clause.

ret_t foo(foo-parameters) __CPROVER_assigns(A);

ait

ait supplies three of the four components needed: an abstract interpreter (in this case handling func...

Definition ai.h:562

We know the elements of A only depend on foo-parameters and global variables.

A new GOTO function with the following signature is generated:

void contract::foo::assigns(foo-parameters);

The body of the function generated from the elements of A as follows:

For each target cond: target where the target is an lvalue expression:
DECL __cond: bool;

ASSIGN __cond = <result of goto_convert(cond)>;

IF !__cond GOTO SKIP_TARGET;

CALL __CPROVER_assignable(&target, sizeof(target), has_ptr_type(target));

SKIP_TARGET: SKIP;

DEAD __cond;

__CPROVER_assignable
void __CPROVER_assignable(void *ptr, __CPROVER_size_t size, __CPROVER_bool is_ptr_to_ptr)

goto_convert
void goto_convert(const codet &code, symbol_table_baset &symbol_table, goto_programt &dest, message_handlert &message_handler, const irep_idt &mode)
Definition goto_convert.cpp:2187

DEAD
@ DEAD
Definition goto_program.h:48

ASSIGN
@ ASSIGN
Definition goto_program.h:46

SKIP
@ SKIP
Definition goto_program.h:38

DECL
@ DECL
Definition goto_program.h:47

GOTO
@ GOTO
Definition goto_program.h:34

where has_ptr_type(target) returns true if the target has a pointer-type;
For each target cond: f(parameters), where f is a void-typed function:
DECL __cond: bool;

ASSIGN __cond = <result of goto_convert(cond)>;

IF !__cond GOTO SKIP_TARGET;

CALL f(parameters);

SKIP_TARGET: SKIP;

DEAD __cond;

Remark: The condition expressions needs to be goto_converted during translation since they come directly from the front-end and are allowed to contain function calls.

The rewriting pass Rewriting Assigns Clause Functions is applied to transform the function into a function that accepts two write set parameters: The first one is the write set that gets populated with assignable locations specified by the function, the second is a write set that is used by the function to check its side effects.

void contract::foo::assigns(
 
  // function parameters
  foo-parameters,
 
  // write set to populate with new targets
  __CPROVER_contracts_write_set_ptr_t __write_set_to_fill,
 
  // write set against which to check itself for unwanted side effects
  __CPROVER_contracts_write_set_ptr_t __write_set_to_check);

The rewriting step Generating Havoc Functions from Assigns Clause Functions is also applied to the function in order to generate a havoc function that can be used to model contract replacement:

void contract::foo::havoc(__CPROVER_contracts_write_set_ptr_t __write_set_to_havoc);

Translating Frees Clauses to GOTO Functions

Let's consider a contract foo (with corresponding pure contract contract::foo) with a __CPROVER_frees(F) clause.

ret_t foo(foo-parameters) __CPROVER_frees(F);

We know the elements of F only depend on foo-parameters and global variables.

A new GOTO function with the following signature is generated:

void contract::foo::frees(foo-parameters);

The body of the function generated from the elements of F as follows:

For each element of the form cond: expr where expr is a pointer-typed expression:
DECL __cond: bool;

ASSIGN __cond = <result of goto_convert(cond)>;

IF !__cond GOTO SKIP_TARGET;

CALL __CPROVER_freeable(expr);

SKIP_TARGET: SKIP;

DEAD __cond;

__CPROVER_freeable
void __CPROVER_freeable(void *ptr)
For each target of the form cond: f(params) where f is a void-typed function:
DECL __cond: bool;

ASSIGN __cond = <result of goto_convert(cond)>;

IF !__cond GOTO SKIP_TARGET;

CALL f(params);

SKIP_TARGET: SKIP;

DEAD __cond;

Remark: The condition expressions needs to be goto_converted during translation since they come directly from the front-end and are allowed to contain function calls.

The resulting function is declarative, in the sense that it describes the contents of the frees clause but does not have any runtime effects.

The rewriting pass Rewriting Frees Clause Functions is applied to transform the function into a function that accepts two write set parameters: The first one is the write set that gets populated with freeable pointers specified by the function, the second is a write set that is used by the function to check its side effects.

void contract::foo::frees(
 
  // function parameters
  foo-parameters,
 
  // write set to populate with new targets
  __CPROVER_contracts_write_set_ptr_t __write_set_to_fill,
 
  // write set against which to check itself for unwanted side effects
  __CPROVER_contracts_write_set_ptr_t __write_set_to_check);

Prev	Next
Program Transformation Overview	Rewriting Declarative Assign and Frees Specification Functions

Table of Contents

Translating Assigns Clauses to GOTO Functions

Translating Frees Clauses to GOTO Functions